A data breach at hospital system giant Advocate Aurora Health may have exposed the information of up to 3 million patients who use its online patient portals and other tools, the system said.
Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, said the disclosed patient data could include IP addresses; dates, times and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about the patient’s provider; types of appointments or procedures; and communication between patients and others on MyChart.
Advocate Aurora said in a statement on its website that it had launched an internal investigation and did not believe any Social Security numbers, financial accounts, credit card or debit card information was leaked.
The system said the breach is unlikely to result in identity theft or financial damage, and that it found no evidence of misuse of information or fraud.
The health system cited pixel technology as the cause of the breach. The pixels in question are pieces of code that companies use to track how consumers use their websites and applications.
Advocate Aurora said in the statement that it has learned that pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, were sending patient information to the outside vendors that supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.
According to the statement, the hospital system has since disabled or removed the pixels. A spokeswoman could not immediately answer a question Thursday afternoon about when those pixels were removed or disabled.
“We take patient privacy very seriously, employ robust internal controls to protect patient data, and are committed to complying with all laws that apply to our operations,” Advocate Aurora said in a statement. “Like others in our industry, we have used internet tracking technologies to improve the consumer experience on our websites and to encourage individuals to take the necessary precautionary measures. We thoroughly evaluate the information we collect and track.”
Other hospital systems have also been dealing with privacy issues related to pixel technology in recent months. A lawsuit filed against Meta in federal court in California alleges that hundreds of hospital and medical provider websites use the technology.
A patient at Northwestern Memorial Hospital, who lives in Skokie, filed a lawsuit against Northwestern, Meta and Facebook in federal court in August, alleging that the hospital, Meta and Facebook “used Meta Pixel to collect the private medical information of patients at the… Northwestern Memorial Hospital to unlawfully collect and use that data for its own benefit,” the complaint reads. This lawsuit is seeking class action status.
Two patients of the Rush hospital system filed a similar lawsuit in federal court on Sept. 30, alleging that the Rush University System for Health “discloses personally identifiable patient information of plaintiffs and group members, including their status as patients and the content of their communications with Rush,” to third parties, including Facebook, Google and a digital advertising company. This lawsuit also involves pixel technology.
Rush said in a statement, “RUSH is deeply committed to patient privacy and takes with the utmost urgency any conclusion that data has been inappropriately shared. We are aware of and investigating the lawsuit and intend to vigorously defend RUSH against the plaintiffs’ claims.”
A spokesman for Northwestern said Thursday the system does not comment on pending litigation.
North Carolina-based system WakeMed Health & Hospitals notified patients on its website last week that some of their information may have been exposed through pixels provided by Facebook.
Advocate Aurora reported its breach to the U.S. Department of Health and Human Services’ Office for Civil Rights. Healthcare systems must report breaches of protected health information involving 500 or more people to this office, which publishes reports on a public website nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and may impose fines on healthcare systems, depending on the severity.
Advocate Aurora’s breach is the largest healthcare data breach reported to the office this year.
Data breaches have plagued hospital systems across the country for years as hospitals try to keep up with ever-changing technology, evolving cybercriminal activity, and competing demands for their money and time.
Patients with questions about the Advocate Aurora breach may call 866-884-3206 Monday through Friday, 7:00 a.m. to 7:00 p.m., and Saturday, 9:00 a.m. to 2:00 p.m.